October 2025 Infostealer Trend Report

This report provides statistics, trends, and case information on Infostealer malware, including distribution volume, distribution methods, and disguise techniques, collected and analyzed over the month of October 2025. The following is a summary of the report.

1) Data Source and Collection Method

AhnLab SEcurity intelligence Center (ASEC) operates various systems that automatically collect malware in circulation in order to respond to Infostealer malware proactively. The collected malware is analyzed by an automatic analysis system to determine whether it is malicious and to extract its C2 information. This information is provided in real time through the ATIP IOC service and can also be found on the ATIP File Analysis Information page.

AhnLab’s self-built system

  • Crack disguise malware automatic collection system
  • Email honeypot system
  • Malware C2 automatic analysis system

ATIP Real-time IOC service

C2 and Malware Type Analysis Information

  • File Analysis Information – Related Information – Contacted URLs

It is recommended to use the statistics in this report to examine the overall distribution volume, disguise techniques, and distribution trends of Infostealers.

2) Infostealers Distributed with Crack Disguise

These statistics cover Infostealers distributed under the guise of illegal programs such as cracks and keygens. The malware is distributed using a strategy called SEO poisoning, which manipulates search engine results so that the malware distribution posts appear at the top. ASEC has established a system that automatically collects malware distributed in this way and analyzes its C2 information in order to block the malware’s C2 in real time and provide the relevant information through ATIP. In October, Rhadamanthys, ACRStealer, and LummaC2 were the most commonly distributed Infostealers. The quantity of LummaC2 dropped sharply at the end of September, but it was being actively distributed again by the end of October.


Figure 1. Malware distribution page

The following chart shows the amount of malware distributed using this method over the past year. The second series shows the number of samples collected by AhnLab that had no record on VirusTotal at the time of collection. It shows that AhnLab collected and responded to most of this malware through its automatic collection system.

Chart 1. Quantity of Malware Distributed Annually

Previously, threat actors created posts on their own blogs to distribute malware. However, search engines began taking measures to keep these malicious blogs out of search results. To bypass this, threat actors now distribute malware by creating posts on legitimate websites, using well-known forums, the Q&A pages of certain companies, open bulletin boards, and comment sections. The following images show examples of posts uploaded to various communities to distribute malware. Posts uploaded in this way rank highly in search engine results, making it more likely that many users will visit them.

Figure 2. A distribution post published on the legitimate website (slideshare.net)

Figure 3. A post promoting the fake site on a legitimate site (youtube.com)

As shown above, the distributed Infostealers use one of two execution methods: distribution as an EXE file, or the DLL SideLoading technique, in which a legitimate EXE file and a malicious DLL file are placed in the same folder so that the malicious DLL is loaded when the legitimate EXE is executed. In October, 45.0% of the malware samples were distributed in EXE format while 55.0% used the DLL SideLoading technique, a significant increase in the proportion of DLL SideLoading samples compared to the previous month. LummaC2 is mainly distributed in EXE format, while ACRStealer is mainly distributed via DLL SideLoading. DLL SideLoading malware is created by modifying only a portion of a legitimate DLL file and leaving the rest intact, so it looks almost identical to the original file. As a result, many other security solutions may mistakenly classify the malware as a legitimate file, so caution is advised.
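As an added, defender-side illustration (not code from the ASEC report), the following Python compares a suspected side-loaded DLL against the vendor's original section by section: because these samples keep most of the legitimate file intact, only a small region differs, and per-section hashing pinpoints it. The two PE images are constructed inside the script (not real samples), and the parser reads only the headers needed to reach the section table.

```python
import hashlib
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocs, NumberOfLines, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def pe_sections(data: bytes) -> dict:
    """Map section name -> raw file bytes; parses only the headers needed to reach the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                           # section table follows the optional header
    sections = {}
    for i in range(num_sections):
        name, _vs, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(data, table + i * 40)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = data[raw_ptr:raw_ptr + raw_size]
    return sections

def diff_sections(original: bytes, suspect: bytes) -> dict:
    """Per-section verdict: 'same', 'modified', 'added' (only in suspect) or 'missing'."""
    a, b = pe_sections(original), pe_sections(suspect)
    digest = lambda blob: hashlib.sha256(blob).hexdigest()
    return {name: "missing" if name not in b else "added" if name not in a
            else "same" if digest(a[name]) == digest(b[name]) else "modified"
            for name in sorted(set(a) | set(b))}

def build_pe(sections: dict) -> bytes:
    """Constructed test fixture: minimal PE headers + section table (not loadable), enough for pe_sections()."""
    opt_size = 0xF0
    raw_ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)   # raw data starts right after the table
    hdrs, blobs = b"", b""
    for name, blob in sections.items():
        hdrs += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), len(blob), raw_ptr,
                                 len(blob), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += blob
        raw_ptr += len(blob)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew at offset 0x3C -> PE signature at 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + hdrs + blobs

# Constructed samples: the "legitimate" DLL and a copy with a few patched bytes in .text plus an extra section.
LEGIT = build_pe({".text": b"\x90" * 32 + b"\xc3", ".rdata": b"vendor strings\0" * 3})
TAMPERED = build_pe({".text": b"\xe9" + b"\x90" * 31 + b"\xc3", ".rdata": b"vendor strings\0" * 3,
                     ".pay": b"\0" * 16})  # diff_sections(LEGIT, TAMPERED) -> .text modified, .pay added
```

Against a real pair of files, read both with `open(path, "rb").read()` and pass them to `diff_sections`; a `modified` verdict on a section of an otherwise identical, vendor-named DLL is the pattern described above.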

Trend #1 – Mass distribution of a new type of Loader malware

Downloader malware that connects to its C2 and, according to the C2’s commands, installs additional malware or executes malicious PowerShell commands is being distributed in large quantities. Unlike existing types, which are made to look like normal DLLs, this malware uses a DLL of a different type from the original and distributes it en masse. In addition, whereas the name of the encrypted shellcode file previously changed with each distribution, this malware uses a consistent file name that starts with “._”.

Figure 4. Structure of new DLL Sideloading type

Upon execution, it connects to the C2 to download configuration data and performs malicious behaviors according to that configuration.

It characteristically uses the “/nfront.php” and “/nback.php” paths in its C2 connection format.

[C2]

hxxps://evgshippingline[.]com/nfront.php (Receive configuration file)
hxxps://evgshippingline[.]com/nback.php (Send execution result)

It connects to /nfront.php to download the encrypted configuration data. This data contains a URL and decryption key for installing additional malware, as well as a PowerShell command to be executed later. At the time of analysis, the configuration was used to download and execute the Rhadamanthys Infostealer, and the PowerShell command downloaded a PowerShell script from the C2 that replaces a browser plugin with a malicious script.
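As an added example (not part of the ASEC report), the following Python scans proxy log lines for the loader’s distinctive C2 paths and flags a client whose /nfront.php configuration fetch is followed by a /nback.php result post. The log layout and the sample lines are constructed for this example; only the two paths are supported by the report, so the host name is deliberately not part of the match.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# C2 paths the report attributes to this loader. The host is deliberately not matched:
# the same paths may show up on other C2 domains, so the path pattern is the durable indicator.
C2_PATH = re.compile(r"/n(front|back)\.php(?:\?|$)", re.IGNORECASE)

# Assumed proxy log layout (constructed for this example, not a real product format):
#   <ISO timestamp> <client ip> <method> <url> <status>
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse(line: str):
    """Parse one log line into a dict, or return None for lines that do not fit the layout."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    path = re.sub(r"^[a-z]+://[^/]+", "", url, flags=re.IGNORECASE)  # drop scheme and host
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "path": path, "status": int(status)}

def find_c2_beacons(lines, window=timedelta(minutes=10)):
    """Per client: how many /nfront.php (config fetch) and /nback.php (result post) requests
    were seen, and whether a back followed a front within `window`, i.e. the full check-in."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        m = C2_PATH.search(rec["path"])
        if m:
            hits[rec["client"]].append((rec["ts"], m.group(1).lower()))
    report = {}
    for client, events in hits.items():
        fronts = [ts for ts, kind in events if kind == "front"]
        backs = [ts for ts, kind in events if kind == "back"]
        paired = any(f <= b <= f + window for f in fronts for b in backs)
        report[client] = {"front": len(fronts), "back": len(backs), "paired": paired}
    return report

# Constructed sample log: one host runs the full sequence (also pulling the additional payload
# from the download URL in the report), one benign lookalike path, one isolated nback hit.
SAMPLE_LOG = """\
2025-10-14T09:12:03 10.0.5.21 GET https://evgshippingline.com/nfront.php 200
2025-10-14T09:12:09 10.0.5.21 GET https://mijnplug.com/vPByUaGJ/149.bin 200
2025-10-14T09:12:41 10.0.5.21 POST https://evgshippingline.com/nback.php 200
2025-10-14T09:13:10 10.0.7.8 GET https://www.example.com/news/front.php 200
2025-10-14T11:40:00 10.0.9.3 GET http://cdn.example.net/nback.php?id=7 404
""".splitlines()

if __name__ == "__main__":
    for client, summary in find_c2_beacons(SAMPLE_LOG).items():
        print(client, summary)  # 10.0.5.21 {'front': 1, 'back': 1, 'paired': True} ...
```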

Download URL

hxxps://mijnplug[.]com/vPByUaGJ/149.bin (Additional malware encrypted file)

hxxps://jpg.namaramalan[.]com/6joCvF/2110.txt (Encoded PowerShell script)

Figure 5. Configuration data

Trend #2 – Change in the distribution volume of LummaC2 Infostealer

For a long time, the LummaC2 Infostealer has been by far the most widely distributed malware. However, there have been periods during which its distribution was halted. This may signal a change in attack strategy, such as a switch to other malware, so caution is advised.

Chart 2. LummaC2 distribution

For statistics not covered in this summary, including statistics on the companies and original file names used as disguises, distribution and detection counts, and Infostealer-related information from phishing emails, please refer to the full ATIP report.